Caller-ID Spoofing

Caller Identification, or “Caller ID” for short, is a system by
which the phone number of a calling party is transmitted in parallel
with the ringing signal to a telephone set. With conventional wired and
cellular telephone services, the number of the calling party is
determined
accurately from telephone company records and transmitted by the
carrier's equipment. Unfortunately this is not the case with
Voice-over-Internet-Protocol (VoIP) telephone systems. With VoIP
systems, the callerID number originates from the caller's computer. An
honest VoIP caller enters his number correctly into his VoIP software
when he sets up VoIP, and it is transmitted to people he calls. But a
dishonest VoIP caller can enter any number he wants, even a different
one for each call. This process, called “Caller ID Spoofing”, enables
junk callers to put any number they want on your Caller ID when your
phone rings. In many ways it is analogous to e-mail address spoofing.

Scammers, knowing that people tend to block numbers which originate junk calls,
often spoof a different, random number on every call they make. There really is
no point in blocking such a number, because they'll probably never use it again.
And if you're really unlucky, the number they spoof might really belong to someone from whom
you might want to receive a call on another occasion, whom you wouldn't want to inadvertently block.

Personally, I only bother block numbers if they (a) leave more than one junk voicemail, and
(b) show up as “Scam or Fraud” in the reverse-lookup feature of
whitepages.com.

One morning my cell phone rang with a number I didn't recognize. When I
answered, a recording said “This is cardholder services, calling about
your current credit card account....” Since it did not mention which
account, I knew it was phony, and so I added the number to my growing
list of “do not ring” numbers. But probably they will not use that number again anyway.

Pacific Gas & Electric

My home land line rang, displaying the number
800-743-5000 (which happens to be the main customer service number for
Pacific Gas & Electric). I answered on the first ring, but as I said “hello” the caller hung up.
Thinking this odd, I called PG&E back and followed the menu prompts
about “suspicious phone calls” to learn that there is an on-going scam
where callers spoof PG&E's number and demand payment for an
allegedly overdue account. Actually I am glad that my caller hung up,
but annoyed that they called at all.

On another day, I received another call also apparently from PG&E. This time
when I answered, the caller launched into a spiel about how my account was overdue, and I
needed to pay up right now or else my power would be turned off, and he would be happy to
take my credit card number over the phone. I asked, “So please tell me, which account
number are you calling about?” He immediately rattled off a ten-digit number. I said, “Please excuse me
while I verify that against my most recent bill.” I went to fetch the bill, but by
the time I had returned with it (bearing an account number not even close to the one he had given me),
he had already hung up.

Visa Global Customer Care

On Wednesday, February 28, 2018, while on another call, I was alerted to a call waiting
from Visa Global Customer Care at 800-847-2911. I let it roll to voicemail, but no message
was left, so I called back, worked my way through the menu tree, and pressed Zero for a
representative. I said I was returning their call and asked what that call was about.
The representative asked whether I had recently reported a card lost or stolen. When I
said “no” she explained that the only time they make outgoing calls is to
follow up on such reports, but a scammer has been spoofing their number onto calls
offering to lower interest rates, as a way of tricking people into divulging their
card numbers and other personal information.

DHL Express ServicePoint

On Friday, June 22, 2018, I received a
voicemail
for which the caller ID showed DHL Express ServicePoint at (800) 225-5345 (their real number).
I think it was spoofed because (1) I was not expecting a package from DHL,
and (2) the recording was in Chinese (I think), which I don't speak.
If you can understand it, please contact me with a rough translation

According to reports at 800notes.com, the
DHL number is frequently spoofed to get past our natural defenses.

Other Agencies

Sometimes a scam caller will claim to represent the FBI, IRS, or some other
agency and invite you to Google their number to “prove” it. The result may
show that the agency's real number matches that on your caller ID, except that they're not
really calling from that number—they only spoofed it!

Scammers often spoof a number whose area code and “prefix”—first six digits total—match the number of the victim they are calling,
because they know people are more likely to pick up a call whose origin looks local, assuming that it is a neighbor. In reality,
the caller could be anywhere in the world. A good rule of thumb is, if you don't recognize the name that comes with the caller ID,
or the calling number is not in your contacts, let it roll to voicemail. If it's important, the caller will leave a message.

Often, in spoofing a local number, a scammer will choose a number which actually belongs to someone in your community.
On more than one occasion when I have called back such a local number, the legitimately innocent party there was
completely unaware that their number had been spoofed onto spam calls. There is no point in getting angry at such
a person (it's not their fault) or in blocking the number (it probably won't be used again), but politely explaining
what happened may help them understand other angry calls they may have received. You may want to give them a link to this article:

In San Jose, California in October 2018, Eric Greenwood received a call, apparently from his wife's cell phone since her name and contact photo appeared. He heard screaming and crying in the background, as a male voice told him that his wife had been kidnapped, and demanded $1500 ransom. After he had paid the ransom, he called back to his wife's phone. She answered and said she was fine and knew nothing of any kidnapping. That was when he realized he'd been scammed.

For more information

On Wednesday evening, April 18, 2007, I got a call on my cell phone, apparently from a telemarketer.
He gave his name as “David” and said he was calling from the “American
Grant Information Center” and that my number was randomly selected by
computer from among all US residents and that I was eligible to receive
free grant money. [Yeah, sure!]

For this call, my caller-ID indicator displayed as the calling number
my own cell phone number! Obviously, I was not calling myself, so his
computer was falsifying its caller ID through a technique known as
“Caller-ID Spoofing” (see above). When placing a call with the right equipment
and software, it is relatively easy to forge any number you
wish to be displayed as the caller. In this case “David”
was setting a fictitious calling number matching the actual
called number (mine). Find more about Caller-ID Spoofing in
Google
and
Wikipedia

I asked “David” for his company's phone number “so that I can call you
back” but he refused to divulge it, insisting on sticking to his own
patter about free grant money for me. I told him that I was on the Do
Not Call registry and that his phone call was illegal unless he fully
identified his company and their phone number. Actually, it was illegal
regardless, but I wanted as much information as I could get to file with
my complaint. He wouldn't tell me any more so I hung up.

But here's the most important part, and it's really scary:

Suppose I
had not answered the call? My [former] cell phone service
Cingular (now AT&T Wireless)
forwarded all calls which are not answered directly into their voicemail system.
By default, when that system recognizes the caller ID as matching the
phone number whose mailbox is being called, it automatically logs the
caller in with the full authority to control the system (play incoming
messages, set personal options, record new greetings, etc.). Therefore,
if I hadn't answered, “David” would have had full control over my
voicemail system!

Closing this exposure was simple: I just needed to configure my
voicemail system to always ask for my password regardless of the caller
ID. On Cingular's system this is called “Turn off 'Skip Password'” and
is implemented by logging into voicemail and pressing these keys:

If you have a non-Cingular system your exact keys may vary, but the
principle is the same.

Now I'm wondering whether “David” really was a telemarketer, or if perhaps
his “free grant money” patter was really a cover for his real purpose of
looking for unsecured voicemail systems he could hack into, perhaps for
purposes of harvesting personal information for nefarious purposes.

The moral of this story is:

If your voicemail system doesn't always ask you for your password, I
strongly recommend that you reconfigure it so that it does. Otherwise,
a hacker, easily spoofing your own number as their own, could call
right in and take over your voicemail system, playing and deleting your
messages, changing your settings, and more.

SpoofCard

Note: As author of this page, I see my primary responsibility as warning potential
victims of caller-ID spoofing not to believe the caller ID displayed on their
phone by an incoming call. It violates my conscience to advertise ways to do it. However,
I feel it is only appropriate to fully expose at least one method of caller-ID spoofing simply to illustrate
how easy it is. I am surprised that it legal, but apparently it is.

SpoofCard is a commercial subscription
service. For a fee, subscribers can place their outgoing calls through the SpoofCard server instead
of directly. When placing a call, the subscriber enters the number to be called and the number to appear
on the caller ID. It's that simple.